Blackice Pc Protection

Discussion in 'other firewalls' started by achilles, Oct 31, 2002.

Thread Status:
Not open for further replies.
  1. achilles

    achilles Registered Member

    Joined:
    Oct 30, 2002
    Posts:
    7
    Location:
    Canada
    Well I finally took the firewall plunge and installed one last night. Someone had given me a boxed version of Blackice Pc Protection and I installed it and updated it. No problems so far, loads up quick and fairly light on resources. Up until now I had been using the built in firewall that came with WinXP. I had done a few scans online and all ports always showed up as stealthed. With blackice enabled and WinXP firewall disabled ports 80 and 113 show up as closed but not stealthed. Anyway no big deal I found out how to stealth these ports. My question is what do you guys think of Blackice? I did some searching around and like most software some say it's better than a traditional firewall because of its IDS, others say it's not secure enough. As I am not that savvy with firewalls I want to hear what the experts on this forum have to say, keep it or get something else?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi achilles, :)

    It should be interesting to see what opinions you get here regarding the BlackIce product. I have not used it myself, but have read that there have been improvements in the product over recent times, which may supersede some people's concerns from previous versions.

    There is an interesting thread over at DSLR regarding BlackIce. (If you go to the link below, read it all. There is some misinformation sitting side by side with some information and opinion. ;) )

    http://www.dslreports.com/forum/remark,4836737~root=security,1~mode=flat

    Obviously, you know about the various scanning sites, since you've done some testing already. For myself, to judge if a firewall is working at a basic level, I just check to see if it's showing either closed or stealth ports at the scanning sites, when I know I have ports open (listening) for local usage. Then, there are leak tests, if you are interested in testing outbound protection. Although, there is a lot of debate regarding how valid leak tests are. I just fire up a few different network aware apps and see if the firewall lets me know if/when they try to make network access and see what happens if I refuse permission.

    These simple tests, while clearly not noteworthy to the world of firewall testing, do tell me if a firewall appears to be doing its basic functions, covering inbound and outbound security. Combining that with what I can read at sites like this gives me the ability to decide if the product is worth using/keeping.

    Best wishes on this,
    LowWaterMark
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi achilles. I guess my first concern is do you have the latest version?
    Early versions offered no outgoing protection, thus they were considered to be an IDS rather than a firewall. IDS is intrusion detection system, in case you weren't familiar with that and the fact that BID has an IDS is by no means a ringing endorsement of excellence. Sygate and Outpost both have IDSs as far as I'm aware and probably other firewalls have them too. Some like to make a big deal of it, to me it's just part of what needs to be there in some form in a good firewall.
    I personally would recommend, depending on skill level and surfing habits, LookNStop, Sygate, Kerio, Outpost, and for the very basic beginner ZA. (You asked) :)
    I am not familiar with the current version of BID so I won't knock it. I have heard concerns voiced about it, but the same goes for every firewall.
    If you try to do things like surf, check email, download FTP, and stuff like that, if the firewall doesn't require you to set up some rules for that, it's not doing its job.
    Also, you should get full stealth on all ports, everywhere you test, except possibly Sygate, which has had some issues lately and giving false readings.
    Better than M$s attempt at a firewall, I hope. :)
     
  4. achilles

    achilles Registered Member

    Joined:
    Oct 30, 2002
    Posts:
    7
    Location:
    Canada
    Sorry I could not respond last night guys as something came up. I am very surprised that this thread did not garner more responses judging by the reaction this product gets over at dslreports. More than any other firewall, Blackice invokes very strong reactions, be it like or dislike, and a lot of misinformation. Interesting thread LowWaterMark, missed that one.

    Let me answer a couple of your statements. As far as the scanning Blackice stealths all ports "out of the box", except 80 and 113. This dismayed me a little, because as I had mentioned WinXP firewall stealthed all ports. ISS, the current owners of Blackice, say, over at their site, that these two ports being closed and not stealthed is not a security risk. There is a lot of debate whether a stealthed port is more secure than a closed port, but that is something I would rather not get in to, it still would be nice if all ports were stealthed. As far as the leak tests, I tried all the ones over at pcflank and Blackice passed all of them, very nice. :)

    Hi root, yes I do have the latest version. This version indeed does have outgoing protection and component control. A lot of people knock Blackice's component control, saying it is too bothersome and asks a lot of cryptic messages. I did not find this to be true. Unless you are the type of person that installs and uninstalls ten programs a day then you should have no problem. Component control I feel offers a lot more protection than just outbound control, as it alerts you when an unauthorized app. launches as well as when it tries to connect to the net. I know there are other firewalls that have this also, and I think it's a very good feature. The only problem with the way Blackice's component control works, is that at installation, it scans your computer for all applications, so that component control launches itself for apps you install after Blackice, and you simply tell it to add that program to its database. But, if your machine is infected with, say, a trojan, BEFORE you install Blackice then it will not alert you to that trojan calling home, as it sees it as a valid app.

    As far as Blackice having an IDS, I agree with you that, that in itself is not reason enough to buy it. But that does not mean that all IDS's are the same. I am not a computer expert to be able to say whether Blackice's IDS is better than Sygate's, but Blackice has been in the IDS market a long time. I remember back in 1998 when I first got DSL I came upon the term "firewall" as a means to keep hackers out of your computer. I then quickly lit my computer on fire, and sure enough it did keep hackers off it, as well as everything else :D. Back then, Blackice was a very well thought of IDS. I guess people feel that it did not keep up with the times, and its lack of outbound control hurt it. The controversy with what happened with Mr. Gibson also I feel hurt it in the public's eyes, justly and unjustly, anyway that is history.

    Root, I have tried most of the firewalls you mentioned at some point and agree with you that those are also very good products, especially Kerio, but....I know I will get blasted for this but, I hate Zonealarm. This is one firewall that I feel has become progressively worse with every release. I had tried Zonealarm Pro 3.xx and it was horrible. Computer hung at startup and shutdown and it's a huge resource hog, plus it's become bloatware. I do not need popup blocker or email scanner in my firewall.

    Anyway as usual I have gone on too long :blink:. I have had Blackice on my computer for two days only now, but so far so good. I got a perfect score, 0, with the full security scan over at dslreports.com. For now I will keep it and we'll see how it goes.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    This is not just the situation with Blackice but also with others. With the Tiny Trojan Trap (TTT) sandbox application you end up in the same exact situation. At installation, you'd better have a clean machine when it first scans and adds all existing EXEs to its list of unrestricted applications. The installation does warn you, but, how many people can be certain they have no pre-existing viral conditions unless they just came off a clean install.

    I found it useful to work my way through the database of apps (EXEs only, and yes, it took a while ;) ) and reclassify some applications to tighten things up a bit. Obviously, you could not do this at the component level (for thousands of dll files), but, perhaps you can do something like this at the EXE level.

    Well, I'm glad you're giving Blackice a good test. Perhaps you can report back your findings as time goes by and let people know how today's Blackice stands up. :)

    Best Wishes,
    LowWaterMark
     
  6. controler

    controler Guest

    I would leave WinXP's firewall enabled :)
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Yes the stealth versus closed debate is usually a lively one ;) It sounds like you have a grasp on that and realize you are secure either way. To your credit, you took the time to learn your product and how to resolve that particular issue.

    A good point for anyone thinking of using the new BlackIce that has been mentioned elsewhere. It should be installed on a clean system to ensure only trusted apps are approved in the first instance.

    Along with all the recommendations you are likely to get, an important part of the security for your system is finding something that works for you and that you are comfortable with. Keep us posted on how it goes.

    Regards

    CrazyM
     
  8. achilles

    achilles Registered Member

    Joined:
    Oct 30, 2002
    Posts:
    7
    Location:
    Canada
    Controller, may I ask why you recommend I keep WinXP firewall enabled? LowWaterMark, CrazyM I will let you know how things go over time. :)
     
  9. Raygun

    Raygun Registered Member

    Joined:
    Apr 24, 2002
    Posts:
    31
    Location:
    The Beach!
    I've had great results with black ice. I will voice my opinion and that is the whole stealthed idea is a waste of time. Lock down your ports and do not stealth and that way you send the packet that says you hit a closed port, scanner will move on...
     
  10. danielrm26

    danielrm26 Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    3
    Location:
    USA
    The new version of BlackIce is a fine piece of Security software, and I'll have words with anyone who thinks otherwise.

    Between the very strong IDS and the now strong Firewall and application protection, this product is easily a great choice for both newbies or advanced users. The only problems I have with it involve the interface; if they make some improvements there it will be a top-notch application.

    ;)
     
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Achilles,

    If you want a thorough scan, give this one a try:
    https://secure1.securityspace.com/smysecure/login.html

    Free registering and choose No risk audit

    It's done by the Nessus scanner and more complete than the one on
    dslreport.

    Rgds,
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    The latest BlackICE is a great improvement over previous versions.

    I'm testing the latest version, v3.5, right now and the outgoing control seems to work flawlessly. The IDS has always been a strong point of BlackICE, so I don't believe I need to comment on that here. ;) I have noticed that resource usage is extremely low in this version, even while the IDS portion is processing large amounts of incoming data.

    No crashes so far - and it hasn't added any obvious delay to either bootup or logging on.

    Final Impression: In this latest version it seems as though BlackICE has finally caught up with the rest of the pack (with the integrated application and communications control). Online testing seems to indicate it is a good-quality, hardened firewall. I'll have to do a resource comparison at some point to see how it fares against other firewalls such as ZA, Outpost, Sygate, etc but it seems to lean towards the low end.

    Regards,

    -Javacool
     
  13. dom424

    dom424 Registered Member

    Joined:
    Aug 19, 2002
    Posts:
    41
    Location:
    Enid, OK.
    I have BID 3.5 on my 98 machine and it does great. Please come back to this thread and keep us up to date on how your testing is going on XP, any reboots etc. or any problem at all.
     
  14. controler

    controler Guest

    Why are the BlackIce makers not offering a free or even a trial version like everyone else?
    Javacool? are you beta testing this new version?
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    controler,

    There is an evaluation version available; check this one out ;).

    regards.

    paul
     
  16. controler

    controler Guest

    Thank You :D

    I am going to try it out... I went back to their site again and I didn't see where they make the trial easy to locate.

    If you go to their main page and even click on downloads you will find it very difficult to locate the trial.

    http://www.iss.net/
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure ;). Most people do find the link mentioned over here :D.

    regards.

    paul
     
  18. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    I actually had a copy sitting around and figured now was as good a time as any to try it. :D

    Since someone asked: Still no conflicts with Windows XP (seems to be extremely stable) or any other programs (AV, AT, etc.) on the system.

    Regards,

    -Javacool
     
  19. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Raygun,
    why do you feel that blocked ports are better than stealthed ports ?
    And "the whole stealthed idea is a waste of time" ?

    regards,
    bill ;)
     
  20. controler

    controler Guest

    I installed Black Ice on one ME machine so far. All I have besides Black Ice is Norton AV 2003. Black Ice keeps shutting down and asking to be restarted. Does this every 30 seconds or so. Going to try it on another ME machine, then My XP machine.

    Why does Black Ice generate Log*.enc and evd*.enc but then only allow you to view those files with a third party piece of software?

    " General Information ------------------------------------------------
    -----------------------------------------------------------------------

    . Packet/Evidence Files

    BlackICE generates packet and evidence logs (log*.enc and evd*.enc
    respectively). To view these files, you will need a utility that
    can read and decode them. This URL lists such utilities:

    http://www.robertgraham.com/pubs/sniffing-faq.html#software-windows"

    The very first packet sniffer listed at the page above is a bad link for me. If I try going to the site below from the site above, I get bad link, If I go from here and just click on the link below, I get a username - password box.
    This is getting confusing kids :(
    ftp://ethereal.zing.org/pub/ethereal/win32/
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    For Ethereal try the following link:
    http://www.ethereal.com/

    Some other utilities for viewing BlackIce log files:

    BlackIce Attack List Viewer
    http://www.philholder.co.uk/blackice/

    IceWatch
    http://www.geocities.com/icewatch2000/

    VisualIce Report Utility
    http://www.visualizesoftware.com/

    ClearIce Report Utility
    http://www.y2kbrady.com/firewallreporting/clearice/index.htm
     
  22. controler

    controler Guest

    Thanks CrazyM
    I will try a few of these out.
    I wasn't aware they also made a Windows XP firewall Log analyzer.

    http://www.y2kbrady.com/firewallreporting/


    I like the link at bottom left of page to watch the firewall interview video with Tech TV :D

    http://www.y2kbrady.com/firewallreporting/callforhelp.htm
     